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Abstract 

A theoretical framework of quantum no-key (QNK) protocol has been pre- 
sented. As its applications, we develop three kinds of QNK protocols: the 
practical QNK protocols, the QNK protocol based on quantum perfect en- 
cryption, and the QNK protocols based on Boolean function computing. The 
security of these protocols is based on the laws of quantum mechanics, other 
than computational hypothesis. 
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1. Introduction 

The earliest group of quantum message oriented protocols is suggested 
in [H, Q, Isl, which can be regarded as a quantum version of one-time pad, 
the sender and the receiver must preshare secretly a classical key. Later, a 
public-key encryption scheme of quantum message is proposed Q . Recently, 
this kind of public- key cryptosystems has been developed jsj. 

Here we consider another technique to securely transmit quantum mes- 
sage, so called quantum no-key (QNK) protocol. No-key protocol was first 
proposed by Shamir [ojl . It is a wonderful idea to transmit classical messages 
secretly in public channel, independent of the idea of public-key cryptosys- 
tem and that of secret-key cryptosystem. However, the protocol presented 
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is computationally secure, cannot resists a man-in-the-middle(MIM) attack. 
0, Isf develop a quantum from of no-key protocol based on single-photon 
rotations, which can be used to transmit classical and quantum messages 
secretly. It can be seen that the security of the QNK protocol is based on 
the laws of quantum mechanics, so it is beyond computational hypothesis, 
[ij proposed a protocol based on quantum computing of Boolean functions. 
This protocols is constructed with inherent identifications in order to prevent 
MIM attack. Similar to the idea of QNK protocol, Kanamori et al. ll| pro- 
posed a protocol for secure data communication, Kye et al.[12[ proposed a 
quantum key distribution scheme, and Kak |l3l | pr oposed a three-stage quan- 
tum cryptographic protocol for key agreement. IJ] presents a practical QNK 
protocol, and studied a new kind of attack named unbalance-of-information- 
source (UIS) attack. This kind of attack may also be effective to quantum 
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secure direct communication protocols, such as those in 

In this paper, we establish a theoretical framework of QNK protocol in 
Section m Then we discuss some practical QNK protocols in Section |3l Based 
on quantum perfect encryption, we proposed a more general QNK protocol 
in Section HJ Finally, some protocols based on Boolean function computing 
are discussed in Section |5l 



2. Essentials of quantum no-key protocol 

2.1. Classical no-key protocol 

Shamir's no-key protocol jsj is an encryption scheme to transmit mes- 
sages without preshared keys. Assume encryption functions Ea and Eb are 
commutative, Eb{Ea{*)) = Ea{Eb{*))- His idea is as follows: 

1. Alice encrypts the message M with and sends Bob the message 
Ci = Ea{M). 

2. Bob encrypts Ci with A;^ and sends Alice the message C2 = Eb{Ea{M)). 

3. Alice decrypts C2 through Da = {Ea)~^ and sends Bob 

C3 = Da{Eb{Ea{M))) = Da{Ea{Eb{M))) = Eb{M). 

4. Bob decrypts C3 with ks to get M. 

The key point of this idea is that the two encryption functions Ea and 
Eb must be commutative, 

Eb{Ea{*)) = Ea{Eb{*)). (1) 
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2.2. Some basic results relative to QNK protocol 

Lemma 1: Operators A and B are unitary similar. If there exists unitary 
transformations N and M such that NAM — B, then 

[NP-^ (8) {PMf - 7] ^ = 0, P~^BP = A; 



or 



[N<^M^ - P-^ (g) P^] ]t = 0, P-^AP = B] 

where P is unitary, are reahgnments of A, B, respectively. 

Proof: Operators A and B are unitary similar, so there exists unitary 
transformation P satisfying P'^BP = A. From NAM = B, it can be 
inferred that NP-^BPM = B. Then we can conclude [NP'^ ^{PM)^]'^ = 
That is [NP-^ (g) {PMf - J]^ = 0. 

Operators A and B are unitary similar, so there exists unitary transfor- 
mation P' satisfying P'~^AP' — B. Prom NAM — B, it can be inferred that 
NAM = P'-^AP'. Then we can conclude [N (g) M^]t = [P''^ (g) P'^]t. 
That is [N^M^ -P'-^®P'^]t = 0, where P'-^AP' = B and P' is unitary. □ 

Theorem 1: Given four groups of operators {A^, Bj^, C^, Di^\k = , d}, 
each group is a complete orthogonal basis of unitary operator space. If 
DiCkBiAk = e^^(^'')/,VA;,/, then 

^-Mk,i)j^ (g) - (g) A^j = 0, yk, I, 

where M = CkA^ is a unitary transformation only depending on k, and 
N — DiBi is a unitary transformation only depending on I. 

Proof: Because {Bi\l = 1, • ■ ■ , c?} is a complete orthogonal basis of uni- 
tary operator space, there exists satisfying ^^aiBi = I. 

Because DiCkBiAk = e"^*^'"''^/, Vfc, /, and Di is unitary, it can be inferred 
that CkBiAk = e'^^'''^Wj,Wk,l. Then 

Let J2i aie^'^^'^'^Wj = M, then M = CkAk^k. Thus M is a unitary transfor- 
mation only depending on k. 

In the same way, we can acquire 
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Let Efc = N, then N = DiB^'il. Thus is a unitary transfor- 
mation only depending on /. 

From M = CkA^ and N = DiBi, it can be concluded that Ck = MAI,Di = 
NBj. Because DiCkBiAk = e''^^'^'')/, one can obtain NBjjMAlBiAk = 
^Mk,i)j^ so e-'^c^^'^^NBlM = AlBlAk. Because B] and A^E/Afc are unitary 
similar, one can conclude from the Lemma 1 that 

□ 

Theorem 2: Suppose {^4^, S^, C^, D^jfe = I,-- - satisfy the condi- 
tions in Theorem 1, and Ck = AJ, = Sj, VA;. Then C^Bi = e''^^'''^^ BiCk is 
sufficient and necessary for DiCkBiAk = e^'^^'''^^I,\/k,l. 

Proof: (sufficient) From CkBi = e'^^^'^^ BiCk, we can know DiCkBiAk = 
e^'^('='^)A5/CfcA. Because Ck = A^ Di = B\, then DiCkBiAk = e^v^C^.O/. 

(necessary) From Ck = AI and Dk = bI, Vfc, we know that M — N — I 
and NM = DiBiCkAk = /. Because DiCkBiAk = e^'^^'^'')/, DiCkBiAk = 
e^fmDiBiCkAk. Then C^S, = e^^^'^'^^BiCk. □ 

^. 5. Quantum commutative transformation and QNK protocol 

Usually, we call two quantum transformation Ua and ^7^ are commutative 
if UaUb — UbUa- Sometimes in this paper we prefer an entended definition: 
UaUb — c^'^UbUa- Similar to commutative algorithm in Shamir's classical 
no-key protocol, quantum commutative transformations are used to construct 
QNK protocol. 

Let {UAi} and {Usi} are two sets of unitary operations, we suppose each 
pair of UAi and Ubj are commutative. The QNK protocol is as follows: 

1. Alice randomly selects a number i, and encrypts quantum state p with 
UAi, sends Bob pi — UAiPU\_. 

2. Bob randomly selects a number j, and encrypts pi with Ub and sends 
Alice p2 = = UBVAiPUiv],. 

3. Ahce decrypts p2 with U\. and sends Bob pa = U\.p2UAi — 
uIUb^Ua^pU^uI^Ua^ = uIUa^Ub^pUI^uIUa^ ^Ub.pU^^. 

4. Bob decrypts pa with Ut, and gets Ut.p^UB — p- 

3 3 



B] = 0,VA;,Z. 
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Proposition 1: Suppose both Ua and Ub are unitary transformations. 
Then the three conditions UaUb = UbUa, U^b^I^ — ^aPb ^^'^ UbU\ = 
U\Ub are equivalent. 

Proof: It can be seen that, if Ua and Ub satisfies any one of the following 
conditions: 

UaUb = UbUa, (2) 
Ulu\ = U\UI (3) 
UbU\ = U\Ub, (4) 

then UqU\UbUa = I holds. Because Ua and Ub are unitary transformations, 
U\Ua = I and U^Ub = I. From the identity U^U^UbUa = I, we can 
deduce all of the above three identities (E]),®,©. Thus U^U^UbUa = I 
is equivalent with any one of the three identities. This means the three 
conditions are equivalent. □ 

Remark 1: Three instances of quantum commutative transformation 
are as follows: 

1. Making a transformation directly on the bases: 

m m 

UBC^a.m\m)) = ^am|m © sb), 

m m 

2. Making use of an auxiliary register: 

UAC^ajn\m)\s)) = ^a^|m)|s © F4(m)), 

m m 

UBC^oim\m)\s)) = ^am\m)\s © FB{m)), 

m m 

3. Making use of two auxiliary registers: 

UAC}2ara\nimm = 5^a^|m)|F^(m))|0), 

m m 

f/ij($^a„|m)|0)|0)) = Y,a„,\m)\^)\FB{m)), 

m m 
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Remark 2: The protocol in this section does not have inherent identi- 
fication and cannot resistant man-in-the-middle attack. For example, if Eve 
intercepts pi, she does nothing before sends it back to Alice, Alice decrypts 
pi with U\. and sends p, thus Eve can obtain the message p. Therefore, we 
have to construct QNK protocol with personal identification. 

2.4- Theoretical framework of quantum no-key protocol 

Quantum message space is denoted as Hm- Two sets of pair operators 
{UkjU^.} and {Vi,VJ'} are two public sets of unitary operators which per- 
forms on Hm: where k,l e {0, 1, • • • ,d}. Alice uses the set {Uk,U'f,\k e 
{0, 1,-- - - d}}, while Bob uses the set {V^,VJ'|/ G {0, 1, ■ ■ ■ ,d}}. Suppose 
Alice wants to send quantum message p G Hm- The framework of quantum 
no-key protocol is as follows: 

1. Alice randomly selects a number k G {0, 1, ■ ■ ■ ,d}, then performs Uk 
on the quantum message p, and gets pi = UkpUl- Then she sends pi 



2. Bob receives the message pi, then randomly selects I G {0, 1, • • • ,d}. 
He performs Vi on pi, and gets p2 = VipiV^ . Then he sends p2 to Alice. 

3. Alice receives p2, then performs on p2 and gets ps = U'^p2U'^ ■ Then 
she sends to Bob. 

4. Bob receives p3, then performs V/ on p3 and gets p = V/p^Vp . 

Note that the number k and / are selected from two independent uniform 
distributions. 

Proposition 2: The protocol holds if and only if V/U'^ViUk = e'^^^'^'^h, 

Wk,le {0,1,- •• ,d}. 

Proof: It is obvious that the protocol holds if and only if 



p = v/u',ViUkpulvy;v;\yp G Hm, yk, z g {o, i, • • • , 4 

. That means, the protocol holds if and only if V/U'^ViUk = e'^^'^'^U, Vfc, / G 
{0,l,---,rf}. □ 



According to Theorem 1, we conclude from V/U'^ViUk = e''^^'"'^^! that 



where M — U^Uk is a unitary transformation only depending on k, and N — 
V/Vi is a unitary transformation only depending on I. Thus, the following 
proposition holds. 



to Bob. 



e-Mk,D^ ^M^ -Ul^U^ V/ = 0, VA;, / G {0, 1, • • • , d}, 




(5) 
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Proposition 3: Eq.(|5]) is a necessary condition for the protocol hold- 
ing. □ 

Ul, V/ = Vi . According to Theorem 



V,' 



are sat- 



Let us consider a special case of f/^ 
2 and Proposition 2, we can infer that 

Proposition 4: Suppose the conditions f/^ = U, 
isfied, then the protocol holds if and only if UlVi 

{o,i,--- ,4. □ 

Let us consider a more general framework of quantum no-key protocol, 
in which two ancillary states are used. Suppose Alice will send quantum 
message p G Hm- The ancillary states used by Alice and Bob are pa and pb, 
respectively. The framework of QNK protocol is described as (see Figured]): 



Alice 



Bob 



P 



Ua 



Ps 



Pa 



P 

Pb 



Figure 1: A general franiework of quantum no key protocol. This figure is divided into 
two part by a dashed line. The part above the dashed line describes Alice's operations, 
and the other part describes Bob's operations. The quantum state p is the plain state, and 
Pi,P2,P3 represents the three cipher states transmitted between Alice and Bob. Pa, Pb 
are two ancillary states generated randomly by Alice and Bob, respectively. 

1. Alice randomly prepare a quantum state pa, then performs Ua on the 
quantum states pa® P and gets Ua{pa p)Ua. Then she sends to Bob 
the first cipher state pi, 

pi = trAiUAipA ® p)U\) = Sa{,p)- 

She retains the state p'^ = trM{UA{pA ® p)Ua). 

2. Bob randomly prepares a quantum state p^, then performs Ub on the 
quantum states pi ® pB and gets Ub{pi ® Pb)Ub- Then he sends to 
Alice the second cipher state p2, 

p2 = trB{UB{pi ® PbWI) = Eb{pi)- 

He retains the state p'^ = trM{UB{pi ® Pb)U^b)- 
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3. Alice performs C/^ on P2, and sends to Bob the third cipher state 

4. Bob performs U'^ on ® p^, and gets the message p/, 

p> = e'fp = tvBiU'^ip, ® p'B)U'i) ^ £'b{Pz). 

This protocol holds if and only if the four quantum operations satisfy the 
condition 

E'boE'j^oEboSa^ e^'^T. (6) 

As a special case, the unitary transformations Ua,Ub can be chosen as 
bitwise controUed-unitary transformations where the message qubits act as 
control qubits, and U'^ = U\,U'^ = U^^. In this case, (/ ® Ub){Ua <S> I) — 
{Ua O /)(/ ^ Ub), and (/ U's){U'^ ^ ^ Ub){Ua ^ /) = /. 

2.5. Quantum no-key protocol with personal identification 

Denote quantum message space as Hm, identification space as Ha- Alice 
and Bob preshare an identification key {sa, sb)- The protocol is as follows: 

1. Alice randomly selects a number k e {0, 1, • ■ ■ ,d}, then performs 
Uk{sA) on the quantum message p G Hm associated with ancillary 
qubits |0)(0| e Ha, and gets pi = U^^sa) (p® |0)(0|) U^^sa)^ e Hm ® 
Ha- Then she sends pi to Bob. 

2. Bob receives the message pi, then randomly selects Z e {0, 1, • • • , d}, 
performs VJ'(sa) on pi and measures the ancillary qubits (Here it is 
required that V^'(s^) satisfies V/ {s a) piV/ {s aV = p'l O |0)(0|). After 
measurement, the message collapses to p[ G Hm- He admits pi comes 
from Alice if the result of measurement is 0. While passing the identi- 
fication, he uses Vi"{sb) to compute p2 = V{'{sb) {p[ ® |0)(0|) V/^ssy 
G Hm ® Ha, and sends p2 to Alice. 

3. Alice receives p2, then performs UI{sb) on p2 and measures the ancillary 
qubits. She admits p2 comes from Bob if the result of measurement is 0. 
After that, she uses (sa) to compute pa = U',^{sa) {p'2 ® |0)(0|) U'I^saY 
G Hm ® Ha, and sends ps to Bob. 

4. Bob receives ps, then performs Vi{sa) on p^ and measures the ancillary 
qubits. He admits pa comes from Alice if the result of measurement 
is 0. After measurement, the message collapses to quantum message 
P e Hm- 
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In this protocol, operators Uk{s), U'^{s), U'f!{s), Vi{s), V/i^s), V/'^s) are uni- 
tary transformations performing on the whole space Hm^Ha- The protocol 
is correct if and only if the following conditions hold: Vs^, sb, k, I, 

VI{sa)Uu{sa) (p® |0)(0|)f/,(s^)tV^'(s^)t = p[ ® |0)(0|, (7) 
U',{sb)VI\sb) {p[ ® \0){0\)Vr{sBM{sBy = p'2 ® |0)(0|, (8) 
Vi{sA)U'asA) {p'2 ® |0)(0|) U'^SAyViisAy = P ® |0)(0|. (9) 

Furthermore, these three equations are equivalent to the following condi- 
tions: 

Vi'{sA)Uk{sA) = UM{k,l,SA) <^ lAyk,l,SA, (lO) 

U',isB)V{'isB) = U'j^ik, /, Sb) ® /a, VA;, /, sb, (H) 
Vi{sA)U'^isA) = Ul,{k, /, sa) ® I A, VA;, /, sa, (12) 

where UM{k,l, sa), U'^.j{k,l, sb), U'l[{k,l, sa) are unitary operators perform- 
ing on Hm and satisfy the relation U'lf{k, /, SA)U'j^,i{k, I, SB)UM{k, I, sa) = Im, 

\fSA,SB,k,l. 

The preshared key {sa,sb) are used for 3 times to identify each other. 
If we require the quantum state obtained after each measurement be inde- 
pendent with the identification key {sa,sb), that means p[, p'2 and p are 
independent with sa and sb, thus UM^k, I, sa), U'j^iik, I, sb), U'lj{k^ I, sa) are 
also independent with sa and sb, the Eq. ffTOl) f|TT]) f|T2|) can be written as fol- 
lows: 

V!{sA)Uk{sA) = UM{kJ)0lA,ykJ,SA, (13) 
Uk{sB)V{\sB) = Ul,{k,l)®lA,yk,l,SB, (14) 
ViisA)KisA) = K,{k, I) ® Ia, VA;, /, sa, (15) 

where U'l,{k,l)U'M{k,l)UM{k,l) = Im, ^k,l. 

3. Practical quantum no-key protocol 

The protocols in this section are based on rotation of single photon, and 
may be implemented with current technology. 

Generally speaking, two rotation transformations on the Bloch sphere are 
not commutative, unless the axes are parallel. Thus the key technique of this 
protocol is that Bob's encryption rotation and Alice's decryption rotation 
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must be commutative. It can be proven that in this case the two axes of 
rotations must be paralleL 

Proposition 5: The rotation transformations on the sphere are commu- 
tative if and only if the axes are paralleL 

Proof: Denote two axes are ni and n2, and the rotation transformations 
f^ni(v'i) and f/n2(v^2) represents the rotation around the axes rii and n2 by 
an angle (pi and an angle 02? respectively. Because 

(ni • cr)(n2 ■ cr) = rii • n2 + icr ■ (iii x 112), (16) 

therefore 

[ni ■ cr, n2 ■ cr] = 2i(ni x n2) • cr. (17) 
For the rotation operator 

Unif) = exp ^—iipn ■ cr^ = cos-(f + in ■ crsin-yj, (18) 

we have 

[Unii^i), Un2{(f2)] = -2isin^<y5isin^<y92(ni x n2) ■ cr. (19) 

Suppose that both rotations are non-zero, then the two rotations are 
commutative if and only if the two axes are parallel. □ 



3.1. Protocol for quantum message transmissionl3j 

Let us consider the secret transmission of a quantum message in product 
state. Denote Un{^p) as a rotation around axis n by an angle (p. In Bloch 
sphere representation, the state of a qubit can be denoted as |n, (/?), which 
can be prepared using a rotation operator Un{^), |n, v?) = Un{<p) |0). The 
protocol is as follows: 

1. Alice chooses m qubits for transformation: 

|nio,(/5l), • • ■ , \nmo,<fm)- (20) 

2. Alice chooses fAiii = 1, 2, ■ ■ ■ ,m) randomly from a i^-element set 

K = — |A; = 0,l,---,2ir-l}. (21) 
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3. Alice chooses randomly nj(i=l,2,- ■ ■ ,m), and opens them. 

4. Alice prepares m single-photons, with the i-th photon in the state 

\^i)A,=UnAy^Aj\nio,^i), (22) 

then sends these photons to Bob one by one. 

5. Bob chooses (/p^i = 1, 2, ■ ■ ■ , m) randomly from the i^-element set fl2Tl) 
by means of local random number source, and changes the polarization 
directions of photons separately as below: 

= U^XVBJU^A¥^AJ\n^o,Vi), (23) 

then sends back these photons to Alice. 

6. Alice removes her encryption transformation of the photons and gets 

\^i)A,=U^AVBj\nio,y^i), (24) 

then sends them to Bob again. 

7. Bob removes his encryption transformation of the photons and gets 

|^i)i?2 = |nio, V^i), (25) 
then he gets the message fl20|) . 

Because ipAi,^Bi are chosen from set (ETi) randomly and independently. 
Eve cannot get any information from simple intercept /resend attack. Un- 
fortunately, These two protocols cannot defend MIM (of quantum channel 
only) attack, even through there is an authenticated classical channel. 

Remark 3: The quantum state in the protocol should be written in 
the form of density matrix. However, for understanding easily, the quantum 
states are written in the form of ware function instead of density matrix, 
whenever making no confusion. We can rewrite the above protocol in the 
following form: 

1. Alice chooses m photons in this quantum state 

2. Alice performs m-qubit rotation 

Ua = U^AvaJ^---®U^J¥^aJ 
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on the m qubits, and get the state 

where Pa, = UnX^Ai)\riio,Vi){T^o,Vi\Ul.{(pAi), then sends these pho- 
tons to Bob one by one. 

3. Bob performs m-qubit rotation 

Ub = C/„i (<^bJ ® • • • (8) UnJ'PBj 
on the state pi and get the state 

P2 = Psi ® • • • ® PBm 

where p^. = ?7n,(<^Bjt/ni(<^Aj|nio, V5i)(nio, <^i|t/i^.(<^Ajt/i,(<^sJ, then 
sends back these photons to Ahce. 

4. Ahce receives these qubits and removes her rotations on the qubits by 
performing rotation 

= u^A-^A,) ® • • • ® u^mi-^Aj 

on the m qubits, and then gets the state 

P3 = PAi ® ■ ■ ■ ® Pa^ 

where p'^. = C/„.(</7B.)|njo, <Pi)(njo, (^i|C4.((/7B.), then sends them to Bob 
again. 

5. Bob receives these qubits and removes her rotations on the qubits by 
performing rotation 

on the m qubits. Since Ua and Us are commutative, Bob can get the 
message p 

It can be seen that, according to Proposition 5, Ua and Ub are commu- 
tative if and only if the axes of rotations [/^.((/^aJ and UBi{(pBi) are parallel 
for every i. 
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3.2. Protocol with personal identification^] 

Personal identification is necessary to defend MIM attack. We modified 
the protocol in Section 13.11 as following: 

Alice and Bob share {vCiK = ' ' secretly before communication. 
In the second step, Alice rotates each photon by an angle ^pcXi = 1; " ' ' ; ''^)) 
then sends \(pi+ipA^+^Ci)ii = !,■■■ to Bob. It continues according to the 
original protocol and Bob will get the states \ipi + ipB^ + VCr){i = 1, ■ ■ ■ , n) in 
the fourth step. Because Bob knows the value of (pc^ and (pBi-, he can remove 
them and get the quantum message f l20p . 

The authentication information {v^CiK — ' ' can be used repeat- 
edly under the protection of continuously changed local random numbers 

{¥'A,,<^ijJi = I,-- - 



3.3. Practical scheme with mutual identification ll^ l 



In [1^, we proposed a quantum no-key protocol with mutual identifica- 
tion. In this protocol, the photons are transmitted group by group. In each 
group, there are n + m photons, n photons are used to transmit information, 
called IF-photons, m photons are used for identification, called ID-photons. 
The protocol is as follows: 

1. Alice operates IF-photons and ID-photons differently. For the j-th ID- 
photons: Alice prepares \il)j)p., where Pj is the position of the j-th 
ID- photon. For the i-th IF-photon: Ahce prepares \ips^ + v^a, + V'cJq,) 
where (pA^ is a random angle and Qi is the position of the i-th IF- 
photon. At last Alice sends the first message to Bob. 

2. For i-th IF-photon: Bob uses to get state \ipsi + V^a^ + V^c, + 
VB^)Qii where (fs^ is a random angle. For the j-th ID-photon: Bob 
uses R{—ipj) to get |0)p^. and then measures these ID-photons. If the 
m ID-photons are all in the state |0), he prepares |V'j)pj) slse prepares 
m random photons and fill them in the position of ID-photons. At last 
Bob sends the second message to Alice. 

3. After receiving the message, Alice firstly uses R{—ipj) to get \0)p. and 
then measures these ID-photons. If the m ID-photons are all in the 
state |0), Alice can make sure that the message is coming from Bob. 
Then for i-th IF-photon: Alice uses 99^.) to get state \ipsi + (fid + 
(pB,)Qi- For the j-th ID-photon: Bob uses R^ipj) to get iV'jOPj- At last 
Alice sends the third message to Bob. If Alice find there are eaves- 
dropping, she does not operate on IF-photon and fill random photons 
in the position of ID-photons. Then she sends these photons to Bob. 
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4. After receiving Alice's message, Bob measures the ID-photons to make 
sure they are in the state lipj) p. . For i-th IF-photons, Bob uses R{—f b, — 
ipd) to get \^Si)Qi- If these ID-photons are not in the state \il)'-)p., the 
message is not coming from Ahce or has been change by attacker. 

When this protocol is used to transmit classical message, it cannot resist 
MIM attack without the help of preshared (pc^. Though Eve cannot know 
which is IF-photon and which is ID-photon, he can choose randomly from 
these photons, and obtain a IF-photon with non-negligible probability. Then 
he can carries MIM attack without being found. In detail, he interactive with 
Alice and Bob. When he receives the first message from Alice, he randomly 
select the i-th photon and retains it. He prepares another photon and put 
it in position i of the message, then sends the message to Bob. When he 
receives the second message from Bob, he use the retained photon to replace 
the z-th photon in the message. Then he send the changed message to Alcie. 
In the last step, he receives the third message from Alice, he can get the i-ih 
bit if the i-ih photon is IF-photon. To resist MIM attack, the protocol can be 
modified as follows: the classical message to be transmitted are decomposed 
as a summation of n bits. All the IF-photons are prepared according to 
these n bits and are transmitted to Bob through above protocol. When Bob 
obtains these n bits, he computes the summation of these n bits and get the 
real classical message. 

3.4- Quantum no-key protocol for classical message transmission 
3.4- 1- A simple schemef^] 

Alice and Bob shares {'PCi, i = ' ' secretly before communication. 
Alice wants to transmit n bits classical message xiX2 ■ ■ ■ Xn- 

At first, she prepares n single-photons with the i-th photon in the state 
\(Pi), where = Xj ■ |. Then Alice and Bob communicate following the 
protocol in Section [321 and Bob obtains \(pi), ■ ■ ■ , (fn), where ipi = Xi ■ |. 

In the end. Bob measures the photons in bases {|0), ||)} one by one and 
gets the message xiX2 ■ ■ ■ Xn- 

3.4-2. Unbalance- of -Information- Source (UIS) attack flj] 

Wu and Yang proposed an UIS attack to quantum no-key protocol 

transmitting classical messages. If {^pc,} is reused for t times. Eve can utilize 

this unbalance to attack {^pc^}- 

Eve's strategy is: collecting all the t states \xii-^ + ipc^), ■ ■ ■ , \xif^ + (pci) 

through MIM attack. Because of redundancy, the proportion of bit and 
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bit 1 in the information source are not equal, p{0) = 0.5 + e, p{l) = 0.5 — e, 
|e| < 0.5 and e 7^ 0. Therefore, the t states can be divided into two parts 
whose proportion are p( I v^c-)) = 0.5+e andp(||+v9Ci)) = 0.5— e, respectively. 
If Eve uses base {|0), ||)} to measure half of these states, the probability of 
getting |0) is 

Po = {^ + e)cosVc, + - e)sinVc, = ^ + ecos2(pc,, (26) 
the probability of getting ||) is 

Pi = + e)sinVc, + " e)cosVc. = ^ - ecos2(^c,- (27) 

If Eve knows the parameter e of the classical message, she can obtain two 
angles: (fCn and (fds {^Cn + V'Ca = and one of them is (pc,- Then Eve 
uses the base {IfCn), I'^Cn + f )} to measure the remaining half of states, if 
the proportion that they project to l^pcn) is 0.5 + e, she knows = 'PCn, 
otherwise, (pc, = p>c,2- 

3.4-3. A scheme using Hadamard and CNOT transformations 

Alice prepares the base state \x) in a quantum register of n qubits to 
represents a classical message xofn bits, then transforms it to a superposition 
state via Hadamard transformations: 

\xiX2---Xn) ^ ^ J2 (-l)'"'"'+"'"'+-+"""1mim2---m„), (28) 

* mi,m2,...,mn 

where Xi{mi) is the value of the i-th bit of message x{m) . After that, Alice 
transmits it with the protocol described in Section 15.11 and 15.21 In the end, 
Bob should transform the state he has received to a base state via Hadamard 
transformation to get the classical message x. 

Let us consider an example for classical message transmission: Alice needs 
to transmit a ra-bit message x to Bob. Before the communication, Alice and 
Bob share two n-bit strings saiSb- The process is as follows: 

1. Alice randomly selects n + 1 n-bit numbers fc^i, ■ ■ ■ , and i. Then 
Alice prepares the quantum state \x) to represents x and transforms it 
to a superposition state with Hadamard transformation 

(29) 
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then performs the transformation 
^^(-ir-|m)|z) 

m 
TO 

where mi, • • • ,m„ are the binary string of m. It is an evidence that 
the transformation involved here can be reahzed by some CNOT gates 
(at most CNOT gates). After the computation, Ahce sends the 
2n-qubit state to Bob. 

2. Bob randomly selects n + 1 n-bit numbers ksi, ■ ■ ■ ,kBn said j, then 
computes the transformation: 

m 

TO 

® Ijemi/cBi ©■■■©m„A;s„), (31) 

and then Bob sends this 3n-qubit state back to Alice. 

3. Alice computes 

^ ^{-iy"'\m)\i © mi/cAi © • • • © mnkA„ © sb)® 

m 

® I j © mi/cs, © • • • © m„/i;B„) 

|0) b' ® ^i^Bi © • • • © mnkB„ © sa), (32) 

TO 

and then measures the i + 1 ~ 2i-th qubit to check whether they are in 
state |0). Then Alice sends the 2n-qubit state 'l2mi~^T ® 
mikBi © ■ ■ ■ © mnksr, © sa) to Bob. 

4. Bob computes 

^ J](-l)^-"^|m)|j © mi/cs, © • • • © rUnkB^ © s^) 

TO 

(33) 

TO 
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Then he does an Hadamard transformation to the n-qubit state and 
get \x). 

This protocol is also a practical one, since all computation involved can be 
implemented with Hadamard and single-level CNOT gates. It is worth to be 
investigated that whether the local random numbers fc^^, ■ ■ ■ , k^^ji, fc^^, ■ ■ ■ , 
kB„,j can protect sa and s^- 

4. QNK protocols based on quantum perfect encryption 

4.I. Quantum perfect encryption 

Suppose a set of operations Uk, k = 1,2, ■ ■ ■ , N is open, each element Uk 
is 2" X 2" unitary matrix. Let the cipher state of a n-qubit quantum message 
p is pc- In the encryption stage, Uk is applied to the quantum state, where k 
is a secret key, each k is chosen with probability pk for Alice. 

Pc = UupUl (34) 

And in the decryption stage, Ul is applied to the cipher state pc, 

p = UlpJJk. (35) 

Quantum perfect encryption is defined as for every input state p, the 
output state is a totally mixed state, that is 

J2p^^^P^I = ^- (36) 

k 

[l| constructs one perfect encryption by choosing = Uk = X°'Z^{a, [5 G 
{0,1}"). Via defining the inner product of two matrices Mi and M2 as 
Tr{MiMl), the set of all X 2'^ matrices can be regarded as an inner prod- 
uct space. Then it can be proven that the set of 2^" unitary matrices {X°'Z^} 
forms an complete orthonormal basis. Any message state p can be expanded 
as 

p = J2aa,(sX''Z^, (37) 

a, (3 

where a^^js = tr(pZ^X")/2". Boykin and Roychowdhury prove that their 
construction is perfect. 
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4-2. Quantum perfect encryption based on generalized quantum commutative 
transformations 

We propose a quantum perfect encryption scheme based on a set of gen- 
eralized quantum commutative transformation. Given two 2x2 unitary 
transformations Ui and U2, which satisfy the following relation 

U1U2 = -U2U1. 

We choose pk = Uk = U^U^,k = {a,f3), where a, /3 G {0,1}". In 
order to satisfy the requirement of quantum perfect encryption, the unitary 
transformations Ui and U2 should satisfy: {f/i, [/2, f/if/2, /} is an complete 
orthonormal basis. That is, the four unitary matrixes are mutually orthonor- 
mal. Thus, we can conclude the following formulas: 

1. = {UiU2,I) = triUlull) = tr{Ulul) = {tr{UiU2))*, that is tr(f/i[/2) = 
0. 

2. 0={UuU2) = tr{UlU2). 

3. = (Ui, U1U2) = tr{UlUiU2) = tr{U2). 

4. = {U2, U1U2) = tr{UlUiU2) = tr{UiU2Ul) = tr{Ui). 

5. = (f/i, /) = tr{Ui), that is tr{Ui) = 0. 

6. = (f/2, /) = trlul), that is tr{U2) = 0. 

Therefore, the unitary matrixes Ui and U2 should satisfy the conditions 
tr{Ui) = tr{U2) = tr{UiU2) = tr{UlU2) = and U1U2 = -U2U1. 

Similar to the security proof of {pk = Uk = X°'Z'^, k = {a, /3),a, (3 E 
{0, 1}"} in [l|, we get the following results. 

Proposition 6: {pk = ^,Uk = U^U^,k = {a, (3), a, (3 e {0,1}"} is a 
quantum perfect encryption. 

Proof: Because {U1U2 ,a, P G {0, 1}"} is a complete orthonormal basis, 
any n-qubit state p can be represented as a linear combination of these 2^" 
unitary matrixes: 

where a^,/? = tr{pU^U^) /T" . Then, 



Y.P'^Ukpul = ±.J2u^^ulpuiw, 



■7 

22" ' — 

7,(5 



-y 



a,/3 7,(5 
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From U1U2 = -U2Ui,we have U^U^ = {-1)'^-^U^U^. Thus, the above ex- 
pression is equal to 

a,/3 7,(5 
a,fi 7,(5 

Because ^ J^j^lo 1}" (~-'-)'^ ~ ^^s.O; the above formula is equal to 

a,/3 

So, the scheme is a quantum perfect encryption. □ 

There are many special cases satisfying the conditions of f/i and U2, such 
as X and Y, Y and if, X and Z. Thus, the following examples are all 
quantum perfect encryptions. 

1. PQCl:{pfc = ^,Uk = X-Yf', k={a,P),a,Pe {0, 1}"}- 

2. PQC2:{p, = ^, Uk = Y^H^, k = {a, /3),a, (3 e {0, !}"}• 

3. PQC3:{pfc = ^,Uk = X'^Z^^k = {a, (3), a, (3 e {0,1}"}. This is just 
the case introduced in [l|. 

4-3. Quantum no-key protocol based on quantum perfect encryption 

For any two unitary transformation Uk = U1U2 and Ui = 5 "^^ have 

UkUi = {U^Ui){U^,U^) 

= {-lf-f+"-\u^U^){U^U^) = {-if^+'^-^UiUk, 

where k = / = (7,5). 

Thus, according to Proposition 4, the following protocol constructed from 
the PQC:{pk = ^,Uk = U^U^, k = {a,P),a,Pe {0, 1}^ holds. 

1. Alice randomly selects aA, (3a € {0, 1}", and encrypts p with f/f'^f/^f^, 
and sends Bob pi = U^^U^^ piU^^U^^Y . 
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2. Bob randomly selects ubiPb ^ {0, 1}", and encrypts pi with Ui^U2, 
and sends Alice = U^^'U^'' pilu^^'U^'^y . 

3. Alice decrypts pa with (U^^U^^Y and sends Bob pg = (U^^U^^Y p2U"^U^ 

4. Bob decrypts ps with (f/f^?72^^)t to recover p. 

Each of the three PQCs listed in Section |42] can be used in the above pro- 
tocol. If we choose {pk = -^^Uk = Y"H^,a,l3 G {0,1}"} for the protocol. 
Then the protocol is as follows: 

1. Alice encrypts p with F^^if/^^, and sends Bob pi = Y°'^H^^pH>^^Y°'^. 

2. Bob encrypts pi with r^s^fe ^nd sends Ahce p2 = Y"'" jjI^b p^fff^By^B _ 

3. Alice decrypts p2 with if/^Ay^A ^nd sends Bob ps = H'^^Y^^piY^'^H'^^. 

4. Bob decrypts ps with H^'^Y"'^ to recover p. 

It can be seen that these protocols can also transmit classical information 
after the classical information being encoded into computational basis state. 

Remark 4: (a) When we choose the PQC {pk = ^,Uk = a,f3 e 

{0, 1}"} for the quantum no-key protocol, it is unsafe to transmit classical in- 
formation. Because after the classical bits being encoded into computational 
basis state, it will stay in computational basis state during the exchange 
in the protocol. Thus the attacker can measure the cipher in the basis 
{|0), |1)} without breaking it. And because the three ciphers transmitted 
between Alice and Bob is X""^ Z^^\m) ^X''^ Z^^ X""^ Z^^\m) ,X''b Z^^lm) (m 
is the classical message), measuring the three ciphers can achieve the three 
strings aA®m,aB®aA®fTT',aB®'m. The attacker can computes from 
the first string and the second string. Then he can computes the message m 
from the value of and the third string. 

(b) When we choose the PQC {pk = ^,Uk = X^^Y^.a^P G {0,1}"} 
for the quantum no-key protocol, it is also unsafe to transmit classical in- 
formation for the same reason. In this case, the three ciphers transmitted 
between Alice and Bob is X''^Yf^^\m) .X^^^Y^b x^AY^A^m) ^X^^^Y^b^^^ 

is the classical message), measuring the three ciphers can achieve the three 
strings a^i © /3a ffi^, «b © /^b © © /Sa ©'Ti, © /3b ©"^- The attacker can 
computes Ub® from the first string and the second string. Then he can 
computes the message m from the value of © /3b and the third string. 

Through the above remark, we know that it is better to choose the PQC 
{Pk = ■^,Uk = Y°'H^,k = {a,l3),a,l3 G {0,1}"} for the quantum no- 
key protocol. By using Y"'H'^ in the protocol, the message is just being 
encoded into the conjugate coding, and the flaw stated in the above remark 
disappears. 
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5. Quantum no-key protocol based on Boolean function computing 

5.1. Protocol for quantum message transmission^ 
A quantum message is a sequence of pure states: 

^f^ = {E"™HI^ = l'2'-^}' (38) 

m 

where m = (mi,m2, ...,mfc) G {0, 1}'^. Let us consider tlie secure transmis- 
sion of a pure state '^^Oim\'m) ■ Here "secure" means 1) Eve cannot get the 
state even when she has controlled the channel; 2) Bob can verify that the 
state really comes from Alice; 3) Alice can verify that the receiver is Bob; 4) 
Bob know whether the state has been changed in the channel. These are so 
called encryption, identification and authentication of message. 
Because the two unitary transformations 

Ua : 5^a„|m)|0)|0) -> ^a^|m)|FA(m))|0) 

m m 

and 

Ub : J]a^|m)|0)|0) ^ ^ a^|m) |0) IF^H) 

m m 

are commutative, according to Proposition 4, we can construct a quantum 
no-key protocol using this kind of unitary transformations. Here is the basic 
encryption protocol for quantum message without authentication: 

1. Alice randomly chooses a n-dimensional Boolean function 

Fa{x) = U\{x)JI{x)...JI{x)) (39) 

where f\{x) : {0, 1}^ — > {0, 1}, and performs an unitary transformation 
as below: 

^a^|m)|0) ^^a^\m)\FA{m)) (40) 

then sends the state to Bob. 

2. Bob chooses his Boolean function Fb{x) independently and randomly, 
and performs an unitary transformation as below: 

Y,am\m)\FA{m))\Q) ^Y,a„,\m)\FA{m))\FB{m)) (41) 

m m 

then sends it back to Alice. 
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3. Alice performs the following transformation: 



am\m)\FA{m))\FB{m)) 

m 

^^am\m)\FA{m)® FA{ni))\FB{ni)) ^43) 

m 

= J]a„|m)|0)|FB(m)), 

m 

and sends X^m "^ml"^) Bob. 
4. Bob does the same computation with his function Fb{x) 



— > 

m 



y^^am\m)\FB{m)) 

m 

^^am\m)\FB{m) ® FB{m)) = ^am|m)|0), 



(43) 



then gets the quantum message am\fn). 

5.2. Improved protocol with personal identificationfij 

The protocol in Section 15.11 cannot defend MIM attack, and we can mod- 
ify it by adding personal identification. Suppose Ahce and Bob preshare 
identification keys sa and sb , where sa and sb are Boolean functions. The 
modified protocol is as follows: 

1. Alice prepares the state as below: 

5^a„|m)|0)|0) -> 5^a^|m)|F^(m))|0) 

m m 

^am\m)\FA{m))\sA{m)), (44) 

m 

and sends it to Bob. 

2. Bob performs the following transformation 



— )■ 

m 



^«^|m)|F^(m))|0) (45) 
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and verifies that the message is really coming from Alice via measuring 
the third register, and then performs the following transformation: 



■^0£m\m)\FA{m))\FB{m)) 
22(^m\m)\FA(m) © SB(m))\FB(m)), 



m 
m 

and sends it back to Alice. 
3. Alice transforms the state and verifies that the quantum message is 



really coming back from Bob: 

^Q;^|m)|FA(m) © SB{m))\FB{m)) -^'^am\m)\FA{m))\FB{m)) 

m m 

^J2^rn\m)\0)\FB{m)). 



m 



(47) 



If the second quantum register is in state |0) , Alice believes that it 
really comes from Bob, otherwise she stops the protocol. When Eve 
pretend to be Alice to communicate with Bob, she can substitute the 

second register with one in the state FE{m)) , but she cannot transform 
the third register into |FB(m) © sa{itl)) if we choose sa 7^ Sb- Finally 
Alice transforms the state to ctml"^) |-^b('^) ©^^(m)), and sends it 
to Bob again. 

4. Bob transforms the state as below to get the message. 



^Q;„|m)|Fs(m) © sa(^)) ^- ^ a„|m)|Fs(m)) 

m m 

J^a^|m)|0), 



(48) 



m 



and verifies Alice's legitimacy via measuring the second register. 
In this protocol. Fa and Fb are used to protect sa and sb- 

5.3. Protocol with ancillary quantum state 

We define an unitary transformation Uf as follows: 



Uf : J]a™|m) a^(-l)^('"V), (49) 
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where / is a boolean function / : {0, 1}" — )■ {0, 1}. The unitary transforma- 
tion Uf can be implemented with the help of an ancillary qubit as 

^ , J/M)-|/(m)®l) _ ^^ffn.), J0)-|1) 
72 72 

It can be seen that Uf^Uj^ = Uf^Uj^, where Uf^ and Uf^ are defined as 
Eq. ( I49l) . A protocol for transmitting ra-qubit state Xl-m'^ml"^) based on 
them is as follows. 

Suppose a set of Boolean functions {/j} is shared by Alice and Bob. 

1. Alice randomly selects a function /yi, and performs Uf^ on '^ml"^), 

^a^|m) ^5^a„(-l)^^(™)|m), (50) 

m m 

and then sends it to Bob. 

2. Bob randomly selects a function /s, and performs Uj^ as follows, 

5^a^(-l)^-^('"V) ^ 5^ttm(-l)^-"^'"^+^^^"V), (51) 

m m 

and then sends the state to Alice. 

3. Alice performs Uf^ again, then 

5^a^(-l)^-(")+^-(™V) $^a™(-l)^-('"V), (52) 

m m 

and then sends it to Bob. 

4. Bob performs Uf^ again, 

then he gets the quantum message ^rn'^ml^)- 
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6. Discussions 

Quantum no-key protocols without personal identification cannot resist 
MIM attack. In order to resist the MIM attack, personal identification must 
be added into protocols. In Section 12.51 we describe a general way to add 
personal identification into a quantum no-key protocol. 

The protocol in Section 13.11 have no identification function. A set of 
preshared if>c^ is used for personal identification in Section 13. 2[ but Alice 
and Bob cannot identify each other in every pass during the three times of 
interactive. In the protocol described in Section 13.31 some qubits are used 
only for identification. In this protocol, Alice and Bob use the preshared 
personal information to identify each other in each pass of interactive, then 
it satisfies the way of identification introduced in Section 12.51 A protocol in 
Section 15.21 also adopts this kind of identification. It can be seen that the 
identification can be added into the protocol in Section 15.31 in the same way. 

If Alice and Bob identify each other in each time of interactive, the four 
operations performed successively by Alice and Bob must satisfy some re- 
lations. For instance, in the framework presented in Section 12. 5[ the two 
operators Uk{sA) and V^'(sa) must satisfy the following relation: 

where operators Uk{sA) and VI{sa) are both relative to the preshared per- 
sonal information sa- This formula means that the operator V/(sa) can 
remove the change of identification qubits caused by operator [/^(sa). 

Preshare personal identities sa, is necessary for identifying each other, 
so the privacy of saiSb is important to the security of the protocol. An 
essential problem of QNK protocol is whether sa.sb can be reused under 
the protection of those local random numbers of Alice and Bob. 

There are three times of transmission of quantum ciphers in a QNK pro- 
tocol. Consider of the relations among these three ciphers, it is necessary to 
investigate whether there exists a kind of attack making use of these rela- 
tions. For this kind of interactive protocol, how to define its security is still 
an open problem. 

Generally, the protocols in this paper can be used to transmit both clas- 
sical and quantum messages. While Alice transmits a classical ra-bit message 
X to Bob, she can encode the classical message into a quantum state ( one of 
computational basis states), and perform Hadamard transformations H®^ on 
this quantum state, and then transmit the quantum state to Bob. However, 
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some quantum message oriented protocols are not secure when transmitting 
classical message (see the discussions in Section IX^ 13.41 and I4.3p . Further- 
more, when the protocols in this paper are used to transmit classical message, 
whether it can resist the UIS attack described in Section 13.41 needs further 
investigation. 

Some practical quantum no-key protocols are described in Section [31 One 
of these protocols involving only rotations of single-photons can be imple- 
mented with current techniques. It is believed that protocols based on single- 
qubit rotation and single-level CNOT gates may also be implemented in the 
near future. 

7. Conclusions 

A theoretical framework of QNK protocol is proposed. Some practical 
QNK protocols are reviewed and a new protocol is presented. QNK pro- 
tocols based on the scheme of quantum perfect encryption are proposed. 
Protocols based on Boolean function computing are also discussed. Some 
of the protocols in this paper are secure against man-in-the-middle attack, 
beyond computational hypothesis. 
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